Fake white hats turn to bug poaching

When someone uncovers a vulnerability in an organisation’s network, the ethical action is to notify them of the problem and provide the necessary information to help them address the issues. The wrong thing to do is demand some kind of a payment before disclosing any details.

Yet IBM X-Force researchers have investigated more than 30 incidents over the past year where attackers did exactly that. These intruders broke into enterprise networks, stole files or collected information, then sent a message to the victim organisation offering to reveal the website vulnerabilities they exploited for a set fee. It’s not a nominal amount, either, as the attackers have demanded payments in excess of $30,000 (€26,328).

“This is all being done under the disguise of pretending to be a good guy when, in reality, it is pure extortion on the black hat scale,” wrote John Kuhn, a senior threat researcher at IBM Security.

Bug poaching, as it is called by IBM X-Force, is a type of ransomware attack, but instead of malware holding the data hostage, the attackers want a pay-out before they do anything damaging. The difference is the veneer of respectability these attackers are hiding under.

The email message sent to the organisation contains proof of the intrusion, typically a link to some other site hosting the stolen files, but doesn’t explicitly threaten to sell the data or attack the organisation again. The “or else” scenario where the attackers may do something malicious if the payment doesn’t come through is implied.

The attackers may even claim to be one of the good guys, making statements such as, “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”

Not a public service

A typical bug-poaching incident begins simply enough, with an attacker finding and exploiting vulnerabilities on the organisation’s website. SQL injection was the most prevalent method, though attackers may also be using off-the-shelf penetration testing tools. Once in, the attacker grabs sensitive data from the network and stores the information on a remote server. The email message — an extortion demand at this point — demands a payment if the organisation wants to know how the attacker got in and stole the data.

Since the attacker did not try to sell the data or damage any systems during the intrusion, he can pretend to be a white hat trying to do the organisation a favour. However, stealing, even with supposedly good intentions, is black hat behaviour.

“Regardless of their rationale, this is data theft and extortion,” Kuhn said.

Muddying bug bounty efforts

These poachers are also not doing white hat researchers any favours, as reporting vulnerabilities is already difficult. There have been many reports of researchers threatened with legal action after they disclosed software vulnerabilities and website flaws to the affected organisation. The FBI recently raided the home of a security researcher who notified a dental-industry software company that private patient data was stored on a publicly accessible server. There is enough distrust between white hats and enterprises that there is no need to complicate the relationship further.

The attempt to wrangle payment for vulnerabilities also harms the security industry’s recent efforts to get enterprises to establish bug bounty programmes. A formal bug bounty programme invites researchers to look for vulnerabilities — within specified parameters — and offers rewards for finding them.

While ride-sharing company Uber and automaker Tesla recently set up bug bounty programmes, many organisations still resist, fearing that these programmes could be abused by extortionists.

Consider the recent debacle when a security researcher publicly posted information about vulnerabilities in FireEye’s security appliances because the company wouldn’t pay him for reporting the flaws. FireEye doesn’t have a bug bounty programme, and the researcher wanted compensation for his work. The standoff benefited no one and instead widened the gulf of mistrust between enterprises and security researchers.

Trusting thieves

Despite the poachers’ claims that they aren’t being malicious, the victim organisation has to proceed the same as with any other network intrusion and data breach. The victim can’t count on the attacker to protect the stolen data, and someone else could potentially find it. There is no guarantee that the attackers won’t just dump the data or sell it, even if the organisation made the payment.

“To put it mildly, trusting unknown parties to secure sensitive corporate data — particularly those who breached an organisation’s security measures without permission — is not a security best practice,” Kuhn wrote.

Victims of bug poaching attacks should gather all the information they have, including the email demands and logs from affected servers, and hand them over to law enforcement. Complying with the payment demand is problematic because it rewards criminal behaviour. There is the possibility the attacker will not disclose all the issues and hold back a flaw or two for future attempts. Paying also sets a precedent, as other adversaries can follow suit with their own extortion demands.

IBM X-Force warned that while bug poaching may seem less threatening, it poses a serious threat to organisations. It’s easy to see a time when bug poachers escalate their operations to something on the scale of the Poseidon Group, the audacious Brazilian criminal outfit unmasked by Kaspersky Lab earlier this year. The Poseidon Group used malware to infiltrate enterprise networks and steal information, then posed as security consultants the organisation could hire to fix the issues in the networks.

Incident response and forensics are key

Instead of paying extortion demands, organisations should rely on their own forensics investigation to uncover the attack and identify the vulnerability. Incident response teams should respond to a poaching attack much as they would to a suspected data breach. Having detailed logs on web servers and other parts of the network would help with the investigation.
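As an added illustration of the kind of log work that investigation involves (this is not code from the article or from IBM X-Force), the script below triages web server access logs for the injection attempts described earlier. It assumes the combined log format and a small, constructed indicator list; the sample lines are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2016:02:14:01 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:14:05 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 98231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:14:09 +0000] "GET /products?id=42%20UNION%20SELECT%20name%2Ccost%20FROM%20products HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2016:02:15:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One request line in combined log format: client, timestamp, request, status, size.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Patterns checked against the URL-decoded, lower-cased query string (assumed list).
INDICATORS = {
    "tautology": r"'\s*(or|and)\s+['\d]",
    "union_select": r"\bunion\b.*\bselect\b",
    "comment_trunc": r"--\s*$|/\*",
    "time_probe": r"\bsleep\s*\(|\bwaitfor\b",
    "schema_enum": r"\binformation_schema\b",
}

def triage(log_text):
    """Return (hits, per_ip): flagged requests and a count of flagged requests per client IP."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not request records
        path, _, query = m.group("path").partition("?")
        decoded = unquote_plus(query).lower()
        matched = [name for name, pat in INDICATORS.items() if re.search(pat, decoded)]
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "status": int(m.group("status")), "size": m.group("size"),
                         "indicators": matched})
            per_ip[m.group("ip")] += 1
    return hits, per_ip

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG)[0]:
        print(h["ts"], h["ip"], h["path"], h["status"], h["size"], ",".join(h["indicators"]))
```

The flagged path and timestamps tell the responder which page to audit and which window of database and application logs to pull next; the response size jump on the second line is the sort of detail that points at data extraction.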

Utilising a defence-in-depth strategy would help protect enterprises from bug poaching. Run vulnerability scans on public websites, as well as internal and external systems, on a regular basis. There should be no reason to have SQL injection flaws in websites in 2016. Test and audit all Web application code before production. Finding and fixing SQL injection flaws alone slashes the number of website attacks drastically. Penetration testing can help uncover Web application vulnerabilities, and having SIEM technology and other network monitoring tools would reduce the amount of time needed for a forensics investigation.
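To make the "test and audit before production" advice concrete, here is an added example (not from the article or IBM) showing the flaw beside its fix, with a small pre-production check that tells the two apart. The product table, the lookup functions and the `is_injectable` helper are all constructed for this illustration; it uses SQLite only because it runs with no setup.

```python
import sqlite3

def make_db():
    """Constructed in-memory catalogue standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, cost REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(41, "widget", 9.5), (42, "gadget", 19.0), (43, "gizmo", 4.25)])
    return con

def lookup_vulnerable(con, product_id):
    """The flaw: user input is spliced into the SQL text, so it can rewrite the query."""
    sql = "SELECT id, name FROM products WHERE id = '" + product_id + "'"
    return con.execute(sql).fetchall()

def lookup_safe(con, product_id):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    return con.execute("SELECT id, name FROM products WHERE id = ?", (product_id,)).fetchall()

def is_injectable(con, lookup):
    """Pre-production check (hypothetical helper): a quote-and-tautology input must not
    widen the result set. More rows for the probe than for the plain id means the input
    was spliced into the statement rather than bound."""
    baseline = lookup(con, "42")
    try:
        probed = lookup(con, "42' OR '1'='1")
    except sqlite3.Error:
        return True   # a syntax error on a stray quote means the input reached the SQL parser
    return len(probed) > len(baseline)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(f"{name}: injectable={is_injectable(db, fn)}")
```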

None of the cases investigated by IBM involved significant zero-day vulnerabilities; the attackers instead used easily preventable methods.

“While bug poaching demands may not feel as severe as sophisticated attacks that expose your data to carding forums or pasting sites, you should treat them equally as seriously,” Kuhn wrote. Make no mistake, what these actors are doing does not fall under public service. They aren’t the good guys.